Intune ADMX template is now in public preview, please read about the details from Maurice Daly’s post Configure ADMX settings with Microsoft Intune Administrative Templates ,  I have tested 151 settings in my test tenant and want import them to another tenant. But wait.. there is no export or import button? (in this moment). So I think of use Graph API and PowerShell.

I don’t cover the basic of Intune Graph in this post, if this is first time you use Intune Graph API, please take a look Dave Falkus’s PowerShell Intune Samples and Intune PowerShell SDK

TL;DR

If you don’t want read this long post and just want to run export and import script, you can find them in my GitHub: https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/DeviceConfiguration

How to use these scripts

  1. Important: Please check you don’t have any ADMX template profiles have same name, if there is please change them.
  2. Run DeviceConfigurationADMX_Export.ps1
  3. Input your Azure AD credentials of tenant A
  4. Input export folder name, you should get results like this

  5. (Optional) Delete those profile folders if you don’t wish to import them, and change folder name if want to change ADMX template profile name
  6. Open another PowerShell command window
  7. Run DeviceConfigurationADMX_Import_FromJSON.ps1
  8. Input your Azure AD credential of tenant B
  9. Input the same folder as export folder in step 4

    You should able to see those ADMX template profiles are created in your tenant.

Now here is a long version of the story

Properties

For start, I need to find out how to get those ADMX templates information, I use my browser developer tool (F12) network monitor to find out what is REST URI and request header when configure ADMX template settings, then I test those commands in Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer

I am using this ADMX – TEST01 as example, and I have configured two settings in this profile:

  • Access data sources across domains is configured as Enabled.
  • Allow cut, copy or paste operation from the clipboard via script is configured as Disabled

When we import ADMX template profile, we need two or three properties, depends if configured as Disable or Enabled

  1. Each single ADMX policy setting has it’s own definition id.
  2. If configured as Enabled and has more options to choose, we will need presentation ID, it presents text box ” *Access data sources across domains”
  3. We need presentation Value property to define which settings we use for Enabled, example Prompt or Enable or Disable, or anything else.

     

 

Export settings

We will use Graph Explorer to find all those properties that we will need.

  • List all configured ADMX Templates profiles
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/

  • Let’s take this profile “ADMX – TEST01” for example, response of this profile id is 5133abf8-1026-48e7-a59c-0704fb2a9d04 , let’s get only details of this profile
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04

  • List what ADMX policy settings are configured
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues
  • Now that we have policy configuration id, we can list what setting has configured, from this we get the Value property
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues
    If setting has configured as Enabled , you will get response with value results.
    We only need @odata.type and value properties, we don’t need lastModifiedDataTime, createdDateTime and id.

     

    If this setting is configured as disabled, presentation Values response result is empty.

NOTE: Presentation Value can be also empty for those settings that have only disable or enable options, example “Allow printers to be published”

  • If Presentation Value is not empty, we continue get presentation id of this setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues?$expand=presentation
  • Now we also need this ADMX setting definition id, and we also get displayName of the setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4//definition

    Now that we have everything we need, this is exported json file when using my PowerShell script.

    {
       "enabled":true,
       "presentationValues":[  
          {  
             
        "@odata.type":  "#microsoft.graph.groupPolicyPresentationValueText",
        "value":  "1"
    ,
             "[email protected]":"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')/presentations('2ec9cd40-8ac8-4c6d-a547-7fda619491b8')"
          }
       ],
       "[email protected]":"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')"
    }
    

Import settings

  • Create new ADMX profile policy
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
    Request body:

    {
      "description": "",
      "displayName": "ADMX - Test02"
    }

  • Now we got the id of the new policy configuration we just created
  • Create/Import the settings
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/2fd791ad-af52-44ba-9da6-de122c8cda8b/definitionValues
    Request body, here we copy contents of the json file we exported earlier.

 

Enjoy testing, if you find some settings doesn’t work with my script, please give comments and describe which setting and what configuration. Thanks!

(1300)

comments
  • Rkast
    Posted at 11:05 January 20, 2019
    Rkast
    Reply
    Author

    Thanks for the great blog and script! Think many will benefit.

    • Zeng Yinghua
      Posted at 17:29 January 21, 2019
      Zeng Yinghua
      Reply
      Author

      Thanks, I have updated the script today, found a bug myself. 🙂

  • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.